The Securities and Exchange Board of India (SEBI) has issued a consultation paper introducing the Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities. The framework aims to tackle cybersecurity challenges, enhance cyber resilience, and establish uniform guidelines for all entities under SEBI’s regulation.
The paper provides an overview of the framework’s objectives and highlights its key components. With the increasing use of information technology in the securities market, cybersecurity measures have become crucial for SEBI Regulated Entities (REs).
In the past, SEBI has issued various cybersecurity and cyber resilience frameworks to address these risks and promote best practices among REs. To enhance the scope and effectiveness of these measures, SEBI has drafted the master framework on cybersecurity and cyber resilience in consultation with its High-Powered Steering Committee – Cyber Security (HPSC-CS). The CSCRF follows a graded approach and is divided into three parts: applicable to all REs, applicable to specified REs, and applicable to Market Infrastructure Institutions (MIIs).
The framework is based on the five cybersecurity functions defined by NIST: Identify, Protect, Detect, Respond, and Recover. It references globally recognized standards such as NIST SP 800-53, COBIT 5, and the CIS Controls for implementing cybersecurity controls and achieving the desired outcomes.
The framework emphasizes the identification and classification of critical assets, formulation of comprehensive cybersecurity policies, scenario-based testing, and accountability for third-party services. It also addresses aspects such as log retention, access control, encryption, software development environments, vulnerability assessment, API and endpoint security, SOC establishment, incident response management, and recovery planning.
SEBI mandates compliance reporting in standardized formats, including vulnerability assessment and penetration testing (VAPT) reporting and cyber audit reporting. The framework also introduces requirements specific to MIIs, such as ISO 27001 certification and quarterly self-assessment of cyber resilience using the Cyber Capability Index (CCI).
The consultation paper on the Consolidated Cybersecurity and Cyber Resilience Framework (CSCRF) demonstrates SEBI’s commitment to addressing cybersecurity risks and promoting cyber resilience among its regulated entities. The framework provides a structured approach to cybersecurity, incorporating globally recognized standards and best practices.
SEBI invites feedback from stakeholders to ensure that the framework effectively meets the evolving cybersecurity needs of the securities market and all entities under its regulation.